x509.c File Reference

X.509 certificates. More...

#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <errno.h>
#include <assert.h>
#include <ipxe/list.h>
#include <ipxe/base16.h>
#include <ipxe/asn1.h>
#include <ipxe/crypto.h>
#include <ipxe/md5.h>
#include <ipxe/sha1.h>
#include <ipxe/sha256.h>
#include <ipxe/rsa.h>
#include <ipxe/rootcert.h>
#include <ipxe/certstore.h>
#include <ipxe/privkey.h>
#include <ipxe/socket.h>
#include <ipxe/in.h>
#include <ipxe/image.h>
#include <ipxe/ocsp.h>
#include <ipxe/x509.h>
#include <config/crypto.h>

Go to the source code of this file.

Macros
#define	ENOTSUP_ALGORITHM   __einfo_error ( EINFO_ENOTSUP_ALGORITHM )
#define	EINFO_ENOTSUP_ALGORITHM   __einfo_uniqify ( EINFO_ENOTSUP, 0x01, "Unsupported algorithm" )
#define	ENOTSUP_EXTENSION   __einfo_error ( EINFO_ENOTSUP_EXTENSION )
#define	EINFO_ENOTSUP_EXTENSION   __einfo_uniqify ( EINFO_ENOTSUP, 0x02, "Unsupported extension" )
#define	EINVAL_ALGORITHM   __einfo_error ( EINFO_EINVAL_ALGORITHM )
#define	EINFO_EINVAL_ALGORITHM   __einfo_uniqify ( EINFO_EINVAL, 0x01, "Invalid algorithm type" )
#define	EINVAL_ALGORITHM_MISMATCH   __einfo_error ( EINFO_EINVAL_ALGORITHM_MISMATCH )
#define	EINFO_EINVAL_ALGORITHM_MISMATCH   __einfo_uniqify ( EINFO_EINVAL, 0x04, "Signature algorithm mismatch" )
#define	EINVAL_PATH_LEN   __einfo_error ( EINFO_EINVAL_PATH_LEN )
#define	EINFO_EINVAL_PATH_LEN   __einfo_uniqify ( EINFO_EINVAL, 0x05, "Invalid pathLenConstraint" )
#define	EINVAL_VERSION   __einfo_error ( EINFO_EINVAL_VERSION )
#define	EINFO_EINVAL_VERSION   __einfo_uniqify ( EINFO_EINVAL, 0x06, "Invalid version" )
#define	EACCES_WRONG_ISSUER   __einfo_error ( EINFO_EACCES_WRONG_ISSUER )
#define	EINFO_EACCES_WRONG_ISSUER   __einfo_uniqify ( EINFO_EACCES, 0x01, "Wrong issuer" )
#define	EACCES_NOT_CA   __einfo_error ( EINFO_EACCES_NOT_CA )
#define	EINFO_EACCES_NOT_CA   __einfo_uniqify ( EINFO_EACCES, 0x02, "Not a CA certificate" )
#define	EACCES_KEY_USAGE   __einfo_error ( EINFO_EACCES_KEY_USAGE )
#define	EINFO_EACCES_KEY_USAGE   __einfo_uniqify ( EINFO_EACCES, 0x03, "Incorrect key usage" )
#define	EACCES_EXPIRED   __einfo_error ( EINFO_EACCES_EXPIRED )
#define	EINFO_EACCES_EXPIRED   __einfo_uniqify ( EINFO_EACCES, 0x04, "Expired (or not yet valid)" )
#define	EACCES_PATH_LEN   __einfo_error ( EINFO_EACCES_PATH_LEN )
#define	EINFO_EACCES_PATH_LEN   __einfo_uniqify ( EINFO_EACCES, 0x05, "Maximum path length exceeded" )
#define	EACCES_UNTRUSTED   __einfo_error ( EINFO_EACCES_UNTRUSTED )
#define	EINFO_EACCES_UNTRUSTED   __einfo_uniqify ( EINFO_EACCES, 0x06, "Untrusted root certificate" )
#define	EACCES_OUT_OF_ORDER   __einfo_error ( EINFO_EACCES_OUT_OF_ORDER )
#define	EINFO_EACCES_OUT_OF_ORDER   __einfo_uniqify ( EINFO_EACCES, 0x07, "Validation out of order" )
#define	EACCES_EMPTY   __einfo_error ( EINFO_EACCES_EMPTY )
#define	EINFO_EACCES_EMPTY   __einfo_uniqify ( EINFO_EACCES, 0x08, "Empty certificate chain" )
#define	EACCES_OCSP_REQUIRED   __einfo_error ( EINFO_EACCES_OCSP_REQUIRED )
#define	EINFO_EACCES_OCSP_REQUIRED   __einfo_uniqify ( EINFO_EACCES, 0x09, "OCSP check required" )
#define	EACCES_WRONG_NAME   __einfo_error ( EINFO_EACCES_WRONG_NAME )
#define	EINFO_EACCES_WRONG_NAME   __einfo_uniqify ( EINFO_EACCES, 0x0a, "Incorrect certificate name" )
#define	EACCES_USELESS   __einfo_error ( EINFO_EACCES_USELESS )
#define	EINFO_EACCES_USELESS   __einfo_uniqify ( EINFO_EACCES, 0x0b, "No usable certificates" )

Functions
	FILE_LICENCE (GPL2_OR_LATER_OR_UBDL)
	FILE_SECBOOT (PERMITTED)
static void	x509_free (struct refcnt *refcnt)
	Free X.509 certificate. More...
const char *	x509_name (struct x509_certificate *cert)
	Get X.509 certificate display name. More...
static int	x509_parse_version (struct x509_certificate *cert, const struct asn1_cursor *raw)
	Parse X.509 certificate version. More...
static int	x509_parse_serial (struct x509_certificate *cert, const struct asn1_cursor *raw)
	Parse X.509 certificate serial number. More...
static int	x509_parse_issuer (struct x509_certificate *cert, const struct asn1_cursor *raw)
	Parse X.509 certificate issuer. More...
static int	x509_parse_validity (struct x509_certificate *cert, const struct asn1_cursor *raw)
	Parse X.509 certificate validity. More...
static int	x509_parse_common_name (struct x509_certificate *cert, const struct asn1_cursor *raw)
	Parse X.509 certificate common name. More...
static int	x509_parse_subject (struct x509_certificate *cert, const struct asn1_cursor *raw)
	Parse X.509 certificate subject. More...
static int	x509_parse_public_key (struct x509_certificate *cert, const struct asn1_cursor *raw)
	Parse X.509 certificate public key information. More...
static int	x509_parse_basic_constraints (struct x509_certificate *cert, const struct asn1_cursor *raw)
	Parse X.509 certificate basic constraints. More...
static int	x509_parse_key_usage (struct x509_certificate *cert, const struct asn1_cursor *raw)
	Parse X.509 certificate key usage. More...
static int	x509_parse_key_purpose (struct x509_certificate *cert, const struct asn1_cursor *raw)
	Parse X.509 certificate key purpose identifier. More...
static int	x509_parse_extended_key_usage (struct x509_certificate *cert, const struct asn1_cursor *raw)
	Parse X.509 certificate extended key usage. More...
static int	x509_parse_ocsp (struct x509_certificate *cert, const struct asn1_cursor *raw)
	Parse X.509 certificate OCSP access method. More...
static struct x509_access_method *	x509_find_access_method (const struct asn1_cursor *oid)
	Identify X.509 access method by OID. More...
static int	x509_parse_access_description (struct x509_certificate *cert, const struct asn1_cursor *raw)
	Parse X.509 certificate access description. More...
static int	x509_parse_authority_info_access (struct x509_certificate *cert, const struct asn1_cursor *raw)
	Parse X.509 certificate authority information access. More...
static int	x509_parse_subject_alt_name (struct x509_certificate *cert, const struct asn1_cursor *raw)
	Parse X.509 certificate subject alternative name. More...
static struct x509_extension *	x509_find_extension (const struct asn1_cursor *oid)
	Identify X.509 extension by OID. More...
static int	x509_parse_extension (struct x509_certificate *cert, const struct asn1_cursor *raw)
	Parse X.509 certificate extension. More...
static int	x509_parse_extensions (struct x509_certificate *cert, const struct asn1_cursor *raw)
	Parse X.509 certificate extensions, if present. More...
static int	x509_parse_tbscertificate (struct x509_certificate *cert, const struct asn1_cursor *raw)
	Parse X.509 certificate tbsCertificate. More...
int	x509_parse (struct x509_certificate *cert, const struct asn1_cursor *raw)
	Parse X.509 certificate from ASN.1 data. More...
int	x509_certificate (const void *data, size_t len, struct x509_certificate **cert)
	Create X.509 certificate. More...
static int	x509_check_signature (struct x509_certificate *cert, struct x509_public_key *public_key)
	Check X.509 certificate signature. More...
int	x509_check_issuer (struct x509_certificate *cert, struct x509_certificate *issuer)
	Check X.509 certificate against issuer certificate. More...
void	x509_fingerprint (struct x509_certificate *cert, struct digest_algorithm *digest, void *fingerprint)
	Calculate X.509 certificate fingerprint. More...
int	x509_check_root (struct x509_certificate *cert, struct x509_root *root)
	Check X.509 root certificate. More...
int	x509_check_time (struct x509_certificate *cert, time_t time)
	Check X.509 certificate validity period. More...
int	x509_is_valid (struct x509_certificate *cert, struct x509_root *root)
	Check if X.509 certificate is valid. More...
void	x509_set_valid (struct x509_certificate *cert, struct x509_certificate *issuer, struct x509_root *root)
	Set X.509 certificate as validated. More...
int	x509_validate (struct x509_certificate *cert, struct x509_certificate *issuer, time_t time, struct x509_root *root)
	Validate X.509 certificate. More...
static int	x509_check_dnsname (struct x509_certificate *cert, const struct asn1_cursor *raw, const char *name)
	Check X.509 certificate alternative dNSName. More...
static int	x509_check_ipaddress (struct x509_certificate *cert, const struct asn1_cursor *raw, const char *name)
	Check X.509 certificate alternative iPAddress. More...
static int	x509_check_alt_name (struct x509_certificate *cert, const struct asn1_cursor *raw, const char *name)
	Check X.509 certificate alternative name. More...
int	x509_check_name (struct x509_certificate *cert, const char *name)
	Check X.509 certificate name. More...
static void	x509_free_chain (struct refcnt *refcnt)
	Free X.509 certificate chain. More...
struct x509_chain *	x509_alloc_chain (void)
	Allocate X.509 certificate chain. More...
int	x509_append (struct x509_chain *chain, struct x509_certificate *cert)
	Append X.509 certificate to X.509 certificate chain. More...
int	x509_append_raw (struct x509_chain *chain, const void *data, size_t len)
	Append X.509 certificate to X.509 certificate chain. More...
void	x509_truncate (struct x509_chain *chain, struct x509_link *link)
	Truncate X.509 certificate chain. More...
static struct x509_certificate *	x509_found (struct x509_chain *store, struct x509_certificate *cert)
	Mark X.509 certificate as found. More...
struct x509_certificate *	x509_find (struct x509_chain *store, const struct asn1_cursor *raw)
	Identify X.509 certificate by raw certificate data. More...
struct x509_certificate *	x509_find_subject (struct x509_chain *store, const struct asn1_cursor *subject)
	Identify X.509 certificate by subject. More...
struct x509_certificate *	x509_find_issuer_serial (struct x509_chain *store, const struct asn1_cursor *issuer, const struct asn1_cursor *serial)
	Identify X.509 certificate by issuer and serial number. More...
struct x509_certificate *	x509_find_key (struct x509_chain *store, struct private_key *key)
	Identify X.509 certificate by corresponding public key. More...
int	x509_auto_append (struct x509_chain *chain, struct x509_chain *store)
	Append X.509 certificates to X.509 certificate chain. More...
int	x509_validate_chain (struct x509_chain *chain, time_t time, struct x509_chain *store, struct x509_root *root)
	Validate X.509 certificate chain. More...
int	image_x509 (struct image *image, size_t offset, struct x509_certificate **cert)
	Extract X.509 certificate object from image. More...
	REQUIRING_SYMBOL (x509_validate)
	REQUIRE_OBJECT (certstore)
	REQUIRE_OBJECT (config_crypto)

Variables
static uint8_t	oid_common_name [] = { ASN1_OID_COMMON_NAME }
	"commonName" object identifier More...
static struct asn1_cursor	oid_common_name_cursor
	"commonName" object identifier cursor More...
static uint8_t	oid_code_signing [] = { ASN1_OID_CODESIGNING }
	"id-kp-codeSigning" object identifier More...
static uint8_t	oid_ocsp_signing [] = { ASN1_OID_OCSPSIGNING }
	"id-kp-OCSPSigning" object identifier More...
static struct x509_key_purpose	x509_key_purposes []
	Supported key purposes. More...
static uint8_t	oid_ad_ocsp [] = { ASN1_OID_OCSP }
	"id-ad-ocsp" object identifier More...
static struct x509_access_method	x509_access_methods []
	Supported access methods. More...
static uint8_t	oid_ce_basic_constraints []
	"id-ce-basicConstraints" object identifier More...
static uint8_t	oid_ce_key_usage []
	"id-ce-keyUsage" object identifier More...
static uint8_t	oid_ce_ext_key_usage []
	"id-ce-extKeyUsage" object identifier More...
static uint8_t	oid_pe_authority_info_access []
	"id-pe-authorityInfoAccess" object identifier More...
static uint8_t	oid_ce_subject_alt_name []
	"id-ce-subjectAltName" object identifier More...
static struct x509_extension	x509_extensions []
	Supported certificate extensions. More...

Detailed Description

X.509 certificates.

The structure of X.509v3 certificates is documented in RFC 5280 section 4.1.

Definition in file x509.c.

Macro Definition Documentation

ENOTSUP_ALGORITHM

#define ENOTSUP_ALGORITHM   __einfo_error ( EINFO_ENOTSUP_ALGORITHM )

Definition at line 59 of file x509.c.

EINFO_ENOTSUP_ALGORITHM

#define EINFO_ENOTSUP_ALGORITHM   __einfo_uniqify ( EINFO_ENOTSUP, 0x01, "Unsupported algorithm" )

Definition at line 61 of file x509.c.

ENOTSUP_EXTENSION

#define ENOTSUP_EXTENSION   __einfo_error ( EINFO_ENOTSUP_EXTENSION )

Definition at line 63 of file x509.c.

EINFO_ENOTSUP_EXTENSION

#define EINFO_ENOTSUP_EXTENSION   __einfo_uniqify ( EINFO_ENOTSUP, 0x02, "Unsupported extension" )

Definition at line 65 of file x509.c.

EINVAL_ALGORITHM

#define EINVAL_ALGORITHM   __einfo_error ( EINFO_EINVAL_ALGORITHM )

Definition at line 67 of file x509.c.

EINFO_EINVAL_ALGORITHM

#define EINFO_EINVAL_ALGORITHM   __einfo_uniqify ( EINFO_EINVAL, 0x01, "Invalid algorithm type" )

Definition at line 69 of file x509.c.

EINVAL_ALGORITHM_MISMATCH

#define EINVAL_ALGORITHM_MISMATCH   __einfo_error ( EINFO_EINVAL_ALGORITHM_MISMATCH )

Definition at line 71 of file x509.c.

EINFO_EINVAL_ALGORITHM_MISMATCH

#define EINFO_EINVAL_ALGORITHM_MISMATCH   __einfo_uniqify ( EINFO_EINVAL, 0x04, "Signature algorithm mismatch" )

Definition at line 73 of file x509.c.

EINVAL_PATH_LEN

#define EINVAL_PATH_LEN   __einfo_error ( EINFO_EINVAL_PATH_LEN )

Definition at line 75 of file x509.c.

EINFO_EINVAL_PATH_LEN

#define EINFO_EINVAL_PATH_LEN   __einfo_uniqify ( EINFO_EINVAL, 0x05, "Invalid pathLenConstraint" )

Definition at line 77 of file x509.c.

EINVAL_VERSION

#define EINVAL_VERSION   __einfo_error ( EINFO_EINVAL_VERSION )

Definition at line 79 of file x509.c.

EINFO_EINVAL_VERSION

#define EINFO_EINVAL_VERSION   __einfo_uniqify ( EINFO_EINVAL, 0x06, "Invalid version" )

Definition at line 81 of file x509.c.

EACCES_WRONG_ISSUER

#define EACCES_WRONG_ISSUER   __einfo_error ( EINFO_EACCES_WRONG_ISSUER )

Definition at line 83 of file x509.c.

EINFO_EACCES_WRONG_ISSUER

#define EINFO_EACCES_WRONG_ISSUER   __einfo_uniqify ( EINFO_EACCES, 0x01, "Wrong issuer" )

Definition at line 85 of file x509.c.

EACCES_NOT_CA

#define EACCES_NOT_CA   __einfo_error ( EINFO_EACCES_NOT_CA )

Definition at line 87 of file x509.c.

EINFO_EACCES_NOT_CA

#define EINFO_EACCES_NOT_CA   __einfo_uniqify ( EINFO_EACCES, 0x02, "Not a CA certificate" )

Definition at line 89 of file x509.c.

EACCES_KEY_USAGE

#define EACCES_KEY_USAGE   __einfo_error ( EINFO_EACCES_KEY_USAGE )

Definition at line 91 of file x509.c.

EINFO_EACCES_KEY_USAGE

#define EINFO_EACCES_KEY_USAGE   __einfo_uniqify ( EINFO_EACCES, 0x03, "Incorrect key usage" )

Definition at line 93 of file x509.c.

EACCES_EXPIRED

#define EACCES_EXPIRED   __einfo_error ( EINFO_EACCES_EXPIRED )

Definition at line 95 of file x509.c.

EINFO_EACCES_EXPIRED

#define EINFO_EACCES_EXPIRED   __einfo_uniqify ( EINFO_EACCES, 0x04, "Expired (or not yet valid)" )

Definition at line 97 of file x509.c.

EACCES_PATH_LEN

#define EACCES_PATH_LEN   __einfo_error ( EINFO_EACCES_PATH_LEN )

Definition at line 99 of file x509.c.

EINFO_EACCES_PATH_LEN

#define EINFO_EACCES_PATH_LEN   __einfo_uniqify ( EINFO_EACCES, 0x05, "Maximum path length exceeded" )

Definition at line 101 of file x509.c.

EACCES_UNTRUSTED

#define EACCES_UNTRUSTED   __einfo_error ( EINFO_EACCES_UNTRUSTED )

Definition at line 103 of file x509.c.

EINFO_EACCES_UNTRUSTED

#define EINFO_EACCES_UNTRUSTED   __einfo_uniqify ( EINFO_EACCES, 0x06, "Untrusted root certificate" )

Definition at line 105 of file x509.c.

EACCES_OUT_OF_ORDER

#define EACCES_OUT_OF_ORDER   __einfo_error ( EINFO_EACCES_OUT_OF_ORDER )

Definition at line 107 of file x509.c.

EINFO_EACCES_OUT_OF_ORDER

#define EINFO_EACCES_OUT_OF_ORDER   __einfo_uniqify ( EINFO_EACCES, 0x07, "Validation out of order" )

Definition at line 109 of file x509.c.

EACCES_EMPTY

#define EACCES_EMPTY   __einfo_error ( EINFO_EACCES_EMPTY )

Definition at line 111 of file x509.c.

EINFO_EACCES_EMPTY

#define EINFO_EACCES_EMPTY   __einfo_uniqify ( EINFO_EACCES, 0x08, "Empty certificate chain" )

Definition at line 113 of file x509.c.

EACCES_OCSP_REQUIRED

#define EACCES_OCSP_REQUIRED   __einfo_error ( EINFO_EACCES_OCSP_REQUIRED )

Definition at line 115 of file x509.c.

EINFO_EACCES_OCSP_REQUIRED

#define EINFO_EACCES_OCSP_REQUIRED   __einfo_uniqify ( EINFO_EACCES, 0x09, "OCSP check required" )

Definition at line 117 of file x509.c.

EACCES_WRONG_NAME

#define EACCES_WRONG_NAME   __einfo_error ( EINFO_EACCES_WRONG_NAME )

Definition at line 119 of file x509.c.

EINFO_EACCES_WRONG_NAME

#define EINFO_EACCES_WRONG_NAME   __einfo_uniqify ( EINFO_EACCES, 0x0a, "Incorrect certificate name" )

Definition at line 121 of file x509.c.

EACCES_USELESS

#define EACCES_USELESS   __einfo_error ( EINFO_EACCES_USELESS )

Definition at line 123 of file x509.c.

EINFO_EACCES_USELESS

#define EINFO_EACCES_USELESS   __einfo_uniqify ( EINFO_EACCES, 0x0b, "No usable certificates" )

Definition at line 125 of file x509.c.

Function Documentation

FILE_LICENCE()

FILE_LICENCE

(

GPL2_OR_LATER_OR_UBDL

)

FILE_SECBOOT()

FILE_SECBOOT

(

PERMITTED

)

x509_free()

static void x509_free ( struct refcnt *  refcnt )

static

Free X.509 certificate.

Parameters

refcnt

Reference count

Definition at line 133 of file x509.c.

                                                {
        struct x509_certificate *cert =
                container_of ( refcnt, struct x509_certificate, refcnt );

        x509_root_put ( cert->root );
        free ( cert );
}

References container_of, free, x509_certificate::root, and x509_root_put().

Referenced by x509_certificate().

x509_name()

const char* x509_name

(

struct x509_certificate *

cert

)

Get X.509 certificate display name.

Parameters

cert	X.509 certificate

Return values

name	Display name

Definition at line 147 of file x509.c.

                                                         {
        struct asn1_cursor *common_name = &cert->subject.common_name;
        struct digest_algorithm *digest = &sha1_algorithm;
        static char buf[64];
        uint8_t fingerprint[ digest->digestsize ];
        size_t len;

        len = common_name->len;
        if ( len ) {
                /* Certificate has a commonName: use that */
                if ( len > ( sizeof ( buf ) - 1 /* NUL */ ) )
                        len = ( sizeof ( buf ) - 1 /* NUL */ );
                memcpy ( buf, common_name->data, len );
                buf[len] = '\0';
        } else {
                /* Certificate has no commonName: use SHA-1 fingerprint */
                x509_fingerprint ( cert, digest, fingerprint );
                base16_encode ( fingerprint, sizeof ( fingerprint ),
                                buf, sizeof ( buf ) );
        }
        return buf;
}

References x509_subject::common_name, asn1_cursor::data, digest_algorithm::digestsize, asn1_cursor::len, len, memcpy(), sha1_algorithm, x509_certificate::subject, and x509_fingerprint().

Referenced by certstat(), certstore_add(), certstore_apply_settings(), certstore_del(), certstore_found(), certstore_init(), cms_parse_certificates(), efi_cacert(), icert_encode(), ocsp_check_signature(), ocsp_parse_basic_response(), ocsp_parse_cert_id(), ocsp_parse_certs(), ocsp_parse_responder_id(), ocsp_parse_response_status(), ocsp_parse_response_type(), ocsp_parse_responses(), ocsp_request(), ocsp_uri_string(), ocsp_validate(), tls_new_certificate_request(), tls_parse_chain(), tls_send_certificate(), validator_append(), validator_name(), validator_ocsp_validate(), validator_progress(), validator_start_download(), validator_start_ocsp(), validator_step(), x509_append(), x509_check_alt_name(), x509_check_dnsname(), x509_check_ipaddress(), x509_check_issuer(), x509_check_name(), x509_check_root(), x509_check_signature(), x509_check_time(), x509_parse_subject(), and x509_validate().

x509_parse_version()

static int x509_parse_version ( struct x509_certificate *  cert, const struct asn1_cursor *  raw  )

static

Parse X.509 certificate version.

Parameters

cert	X.509 certificate
raw	ASN.1 cursor

Return values

rc	Return status code

Definition at line 184 of file x509.c.

                                                                {
        struct asn1_cursor cursor;
        int version;
        int rc;

        /* Enter version */
        memcpy ( &cursor, raw, sizeof ( cursor ) );
        asn1_enter ( &cursor, ASN1_EXPLICIT_TAG ( 0 ) );

        /* Parse integer */
        if ( ( rc = asn1_integer ( &cursor, &version ) ) != 0 ) {
                DBGC ( cert, "X509 %p cannot parse version: %s\n",
                       cert, strerror ( rc ) );
                DBGC_HDA ( cert, 0, raw->data, raw->len );
                return rc;
        }

        /* Sanity check */
        if ( version < 0 ) {
                DBGC ( cert, "X509 %p invalid version %d\n", cert, version );
                DBGC_HDA ( cert, 0, raw->data, raw->len );
                return -EINVAL_VERSION;
        }

        /* Record version */
        cert->version = version;
        DBGC2 ( cert, "X509 %p is a version %d certificate\n",
                cert, ( cert->version + 1 ) );

        return 0;
}

References asn1_enter(), ASN1_EXPLICIT_TAG, asn1_integer(), DBGC, DBGC2, DBGC_HDA, EINVAL_VERSION, memcpy(), raw, rc, strerror(), x509_certificate::version, and version.

Referenced by x509_parse_tbscertificate().

x509_parse_serial()

static int x509_parse_serial ( struct x509_certificate *  cert, const struct asn1_cursor *  raw  )

static

Parse X.509 certificate serial number.

Parameters

cert	X.509 certificate
raw	ASN.1 cursor

Return values

rc	Return status code

Definition at line 224 of file x509.c.

                                                               {
        struct x509_serial *serial = &cert->serial;
        int rc;

        /* Record raw serial number */
        memcpy ( &serial->raw, raw, sizeof ( serial->raw ) );
        if ( ( rc = asn1_shrink ( &serial->raw, ASN1_INTEGER ) ) != 0 ) {
                DBGC ( cert, "X509 %p cannot shrink serialNumber: %s\n",
                       cert, strerror ( rc ) );
                return rc;
        }
        DBGC2 ( cert, "X509 %p serial is:\n", cert );
        DBGC2_HDA ( cert, 0, serial->raw.data, serial->raw.len );

        return 0;
}

References ASN1_INTEGER, asn1_shrink(), DBGC, DBGC2, DBGC2_HDA, memcpy(), raw, rc, serial, x509_certificate::serial, and strerror().

Referenced by x509_parse_tbscertificate().

x509_parse_issuer()

static int x509_parse_issuer ( struct x509_certificate *  cert, const struct asn1_cursor *  raw  )

static

Parse X.509 certificate issuer.

Parameters

cert	X.509 certificate
raw	ASN.1 cursor

Return values

rc	Return status code

Definition at line 249 of file x509.c.

                                                               {
        struct x509_issuer *issuer = &cert->issuer;
        int rc;

        /* Record raw issuer */
        memcpy ( &issuer->raw, raw, sizeof ( issuer->raw ) );
        if ( ( rc = asn1_shrink ( &issuer->raw, ASN1_SEQUENCE ) ) != 0 ) {
                DBGC ( cert, "X509 %p cannot shrink issuer: %s\n",
                       cert, strerror ( rc ) );
                return rc;
        }
        DBGC2 ( cert, "X509 %p issuer is:\n", cert );
        DBGC2_HDA ( cert, 0, issuer->raw.data, issuer->raw.len );

        return 0;
}

References ASN1_SEQUENCE, asn1_shrink(), asn1_cursor::data, DBGC, DBGC2, DBGC2_HDA, x509_certificate::issuer, asn1_cursor::len, memcpy(), raw, x509_issuer::raw, rc, and strerror().

Referenced by x509_parse_tbscertificate().

x509_parse_validity()

static int x509_parse_validity ( struct x509_certificate *  cert, const struct asn1_cursor *  raw  )

static

Parse X.509 certificate validity.

Parameters

cert	X.509 certificate
raw	ASN.1 cursor

Return values

rc	Return status code

Definition at line 274 of file x509.c.

                                                                 {
        struct x509_validity *validity = &cert->validity;
        struct x509_time *not_before = &validity->not_before;
        struct x509_time *not_after = &validity->not_after;
        struct asn1_cursor cursor;
        int rc;

        /* Enter validity */
        memcpy ( &cursor, raw, sizeof ( cursor ) );
        asn1_enter ( &cursor, ASN1_SEQUENCE );

        /* Parse notBefore */
        if ( ( rc = asn1_generalized_time ( &cursor,
                                            &not_before->time ) ) != 0 ) {
                DBGC ( cert, "X509 %p cannot parse notBefore: %s\n",
                       cert, strerror ( rc ) );
                return rc;
        }
        DBGC2 ( cert, "X509 %p valid from time %lld\n",
                cert, not_before->time );
        asn1_skip_any ( &cursor );

        /* Parse notAfter */
        if ( ( rc = asn1_generalized_time ( &cursor,
                                            &not_after->time ) ) != 0 ) {
                DBGC ( cert, "X509 %p cannot parse notAfter: %s\n",
                       cert, strerror ( rc ) );
                return rc;
        }
        DBGC2 ( cert, "X509 %p valid until time %lld\n",
                cert, not_after->time );

        return 0;
}

References asn1_enter(), asn1_generalized_time(), ASN1_SEQUENCE, asn1_skip_any(), DBGC, DBGC2, memcpy(), x509_validity::not_after, x509_validity::not_before, raw, rc, strerror(), x509_time::time, and x509_certificate::validity.

Referenced by x509_parse_tbscertificate().

x509_parse_common_name()

static int x509_parse_common_name ( struct x509_certificate *  cert, const struct asn1_cursor *  raw  )

static

Parse X.509 certificate common name.

Parameters

cert	X.509 certificate
raw	ASN.1 cursor

Return values

rc	Return status code

Definition at line 317 of file x509.c.

                                                                    {
        struct asn1_cursor cursor;
        struct asn1_cursor oid_cursor;
        struct asn1_cursor name_cursor;
        int rc;

        /* Enter name */
        memcpy ( &cursor, raw, sizeof ( cursor ) );
        asn1_enter ( &cursor, ASN1_SEQUENCE );

        /* Scan through name list */
        for ( ; cursor.len ; asn1_skip_any ( &cursor ) ) {

                /* Check for "commonName" OID */
                memcpy ( &oid_cursor, &cursor, sizeof ( oid_cursor ) );
                asn1_enter ( &oid_cursor, ASN1_SET );
                asn1_enter ( &oid_cursor, ASN1_SEQUENCE );
                memcpy ( &name_cursor, &oid_cursor, sizeof ( name_cursor ) );
                asn1_enter ( &oid_cursor, ASN1_OID );
                if ( asn1_compare ( &oid_common_name_cursor, &oid_cursor ) != 0)
                        continue;
                asn1_skip_any ( &name_cursor );
                if ( ( rc = asn1_enter_any ( &name_cursor ) ) != 0 ) {
                        DBGC ( cert, "X509 %p cannot locate name:\n", cert );
                        DBGC_HDA ( cert, 0, raw->data, raw->len );
                        return rc;
                }

                /* Record common name */
                memcpy ( &cert->subject.common_name, &name_cursor,
                         sizeof ( cert->subject.common_name ) );

                return 0;
        }

        /* Certificates may not have a commonName */
        DBGC2 ( cert, "X509 %p no commonName found:\n", cert );
        return 0;
}

References asn1_compare(), asn1_enter(), asn1_enter_any(), ASN1_OID, ASN1_SEQUENCE, ASN1_SET, asn1_skip_any(), x509_subject::common_name, DBGC, DBGC2, DBGC_HDA, asn1_cursor::len, memcpy(), oid_common_name_cursor, raw, rc, and x509_certificate::subject.

Referenced by x509_parse_subject().

x509_parse_subject()

static int x509_parse_subject ( struct x509_certificate *  cert, const struct asn1_cursor *  raw  )

static

Parse X.509 certificate subject.

Parameters

cert	X.509 certificate
raw	ASN.1 cursor

Return values

rc	Return status code

Definition at line 365 of file x509.c.

                                                                {
        struct x509_subject *subject = &cert->subject;
        int rc;

        /* Record raw subject */
        memcpy ( &subject->raw, raw, sizeof ( subject->raw ) );
        asn1_shrink_any ( &subject->raw );
        DBGC2 ( cert, "X509 %p subject is:\n", cert );
        DBGC2_HDA ( cert, 0, subject->raw.data, subject->raw.len );

        /* Parse common name */
        if ( ( rc = x509_parse_common_name ( cert, raw ) ) != 0 )
                return rc;
        DBGC2 ( cert, "X509 %p common name is \"%s\":\n", cert,
                x509_name ( cert ) );

        return 0;
}

References asn1_shrink_any(), asn1_cursor::data, DBGC2, DBGC2_HDA, asn1_cursor::len, memcpy(), raw, x509_subject::raw, rc, x509_certificate::subject, x509_name(), and x509_parse_common_name().

Referenced by x509_parse_tbscertificate().

x509_parse_public_key()

static int x509_parse_public_key ( struct x509_certificate *  cert, const struct asn1_cursor *  raw  )

static

Parse X.509 certificate public key information.

Parameters

cert	X.509 certificate
raw	ASN.1 cursor

Return values

rc	Return status code

Definition at line 392 of file x509.c.

                                                                   {
        struct x509_public_key *public_key = &cert->subject.public_key;
        struct asn1_algorithm **algorithm = &public_key->algorithm;
        struct asn1_cursor *value = &public_key->value;
        struct asn1_cursor cursor;
        int rc;

        /* Record raw subjectPublicKeyInfo */
        memcpy ( &cursor, raw, sizeof ( cursor ) );
        asn1_shrink_any ( &cursor );
        memcpy ( &public_key->raw, &cursor, sizeof ( public_key->raw ) );
        DBGC2 ( cert, "X509 %p public key is:\n", cert );
        DBGC2_HDA ( cert, 0, public_key->raw.data, public_key->raw.len );

        /* Enter subjectPublicKeyInfo */
        asn1_enter ( &cursor, ASN1_SEQUENCE );

        /* Parse algorithm */
        if ( ( rc = asn1_pubkey_algorithm ( &cursor, algorithm ) ) != 0 ) {
                DBGC ( cert, "X509 %p could not parse public key algorithm: "
                       "%s\n", cert, strerror ( rc ) );
                return rc;
        }
        DBGC2 ( cert, "X509 %p public key algorithm is %s\n",
                cert, (*algorithm)->name );
        asn1_skip_any ( &cursor );

        /* Parse subjectPublicKey */
        memcpy ( value, &cursor, sizeof ( *value ) );
        if ( ( rc = asn1_enter_bits ( value, NULL ) ) != 0 ) {
                DBGC ( cert, "X509 %p could not parse public key bits: %s\n",
                       cert, strerror ( rc ) );
                return rc;
        }

        return 0;
}

References x509_public_key::algorithm, algorithm, asn1_enter(), asn1_enter_bits(), asn1_pubkey_algorithm(), ASN1_SEQUENCE, asn1_shrink_any(), asn1_skip_any(), asn1_cursor::data, DBGC, DBGC2, DBGC2_HDA, asn1_cursor::len, memcpy(), NULL, x509_subject::public_key, raw, x509_public_key::raw, rc, strerror(), x509_certificate::subject, value, and x509_public_key::value.

Referenced by x509_parse_tbscertificate().

x509_parse_basic_constraints()

static int x509_parse_basic_constraints ( struct x509_certificate *  cert, const struct asn1_cursor *  raw  )

static

Parse X.509 certificate basic constraints.

Parameters

cert	X.509 certificate
raw	ASN.1 cursor

Return values

rc	Return status code

Definition at line 438 of file x509.c.

                                                                          {
        struct x509_basic_constraints *basic = &cert->extensions.basic;
        struct asn1_cursor cursor;
        int ca = 0;
        int path_len;
        int rc;

        /* Enter basicConstraints */
        memcpy ( &cursor, raw, sizeof ( cursor ) );
        asn1_enter ( &cursor, ASN1_SEQUENCE );

        /* Parse "cA", if present */
        if ( asn1_type ( &cursor ) == ASN1_BOOLEAN ) {
                ca = asn1_boolean ( &cursor );
                if ( ca < 0 ) {
                        rc = ca;
                        DBGC ( cert, "X509 %p cannot parse cA: %s\n",
                               cert, strerror ( rc ) );
                        DBGC_HDA ( cert, 0, raw->data, raw->len );
                        return rc;
                }
                asn1_skip_any ( &cursor );
        }
        basic->ca = ca;
        DBGC2 ( cert, "X509 %p is %sa CA certificate\n",
                cert, ( basic->ca ? "" : "not " ) );

        /* Ignore everything else unless "cA" is true */
        if ( ! ca )
                return 0;

        /* Parse "pathLenConstraint", if present and applicable */
        basic->path_len = X509_PATH_LEN_UNLIMITED;
        if ( asn1_type ( &cursor ) == ASN1_INTEGER ) {
                if ( ( rc = asn1_integer ( &cursor, &path_len ) ) != 0 ) {
                        DBGC ( cert, "X509 %p cannot parse pathLenConstraint: "
                               "%s\n", cert, strerror ( rc ) );
                        DBGC_HDA ( cert, 0, raw->data, raw->len );
                        return rc;
                }
                if ( path_len < 0 ) {
                        DBGC ( cert, "X509 %p invalid pathLenConstraint %d\n",
                               cert, path_len );
                        DBGC_HDA ( cert, 0, raw->data, raw->len );
                        return -EINVAL;
                }
                basic->path_len = path_len;
                DBGC2 ( cert, "X509 %p path length constraint is %d\n",
                        cert, basic->path_len );
        }

        return 0;
}

References ASN1_BOOLEAN, asn1_boolean(), asn1_enter(), ASN1_INTEGER, asn1_integer(), ASN1_SEQUENCE, asn1_skip_any(), asn1_type(), x509_extensions::basic, x509_basic_constraints::ca, DBGC, DBGC2, DBGC_HDA, EINVAL, x509_certificate::extensions, memcpy(), x509_basic_constraints::path_len, raw, rc, strerror(), and X509_PATH_LEN_UNLIMITED.

x509_parse_key_usage()

static int x509_parse_key_usage ( struct x509_certificate *  cert, const struct asn1_cursor *  raw  )

static

Parse X.509 certificate key usage.

Parameters

cert	X.509 certificate
raw	ASN.1 cursor

Return values

rc	Return status code

Definition at line 500 of file x509.c.

                                                                  {
        struct x509_key_usage *usage = &cert->extensions.usage;
        struct asn1_cursor cursor;
        const uint8_t *bytes;
        unsigned int unused;
        size_t len;
        unsigned int i;
        int rc;

        /* Mark extension as present */
        usage->present = 1;

        /* Enter bit string */
        memcpy ( &cursor, raw, sizeof ( cursor ) );
        if ( ( rc = asn1_enter_bits ( &cursor, &unused ) ) != 0 ) {
                DBGC ( cert, "X509 %p could not parse key usage: %s\n",
                       cert, strerror ( rc ) );
                return rc;
        }

        /* Parse key usage bits */
        bytes = cursor.data;
        len = cursor.len;
        if ( len > sizeof ( usage->bits ) )
                len = sizeof ( usage->bits );
        for ( i = 0 ; i < len ; i++ ) {
                usage->bits |= ( *(bytes++) << ( 8 * i ) );
        }
        DBGC2 ( cert, "X509 %p key usage is %08x\n", cert, usage->bits );

        return 0;
}

References asn1_enter_bits(), x509_key_usage::bits, bytes, asn1_cursor::data, DBGC, DBGC2, x509_certificate::extensions, asn1_cursor::len, len, memcpy(), x509_key_usage::present, raw, rc, strerror(), unused, and x509_extensions::usage.

x509_parse_key_purpose()

static int x509_parse_key_purpose ( struct x509_certificate *  cert, const struct asn1_cursor *  raw  )

static

Parse X.509 certificate key purpose identifier.

Parameters

cert	X.509 certificate
raw	ASN.1 cursor

Return values

rc	Return status code

Definition at line 561 of file x509.c.

                                                                    {
        struct x509_extended_key_usage *ext_usage = &cert->extensions.ext_usage;
        struct x509_key_purpose *purpose;
        struct asn1_cursor cursor;
        unsigned int i;
        int rc;

        /* Enter keyPurposeId */
        memcpy ( &cursor, raw, sizeof ( cursor ) );
        if ( ( rc = asn1_enter ( &cursor, ASN1_OID ) ) != 0 ) {
                DBGC ( cert, "X509 %p invalid keyPurposeId:\n", cert );
                DBGC_HDA ( cert, 0, raw->data, raw->len );
                return rc;
        }

        /* Identify key purpose */
        for ( i = 0 ; i < ( sizeof ( x509_key_purposes ) /
                            sizeof ( x509_key_purposes[0] ) ) ; i++ ) {
                purpose = &x509_key_purposes[i];
                if ( asn1_compare ( &cursor, &purpose->oid ) == 0 ) {
                        DBGC2 ( cert, "X509 %p has key purpose %s\n",
                                cert, purpose->name );
                        ext_usage->bits |= purpose->bits;
                        return 0;
                }
        }

        /* Ignore unrecognised key purposes */
        return 0;
}

References asn1_compare(), asn1_enter(), ASN1_OID, x509_extended_key_usage::bits, x509_key_purpose::bits, DBGC, DBGC2, DBGC_HDA, x509_extensions::ext_usage, x509_certificate::extensions, memcpy(), x509_key_purpose::name, x509_key_purpose::oid, raw, rc, and x509_key_purposes.

Referenced by x509_parse_extended_key_usage().

x509_parse_extended_key_usage()

static int x509_parse_extended_key_usage ( struct x509_certificate *  cert, const struct asn1_cursor *  raw  )

static

Parse X.509 certificate extended key usage.

Parameters

cert	X.509 certificate
raw	ASN.1 cursor

Return values

rc	Return status code

Definition at line 600 of file x509.c.

                                                                           {
        struct asn1_cursor cursor;
        int rc;

        /* Enter extKeyUsage */
        memcpy ( &cursor, raw, sizeof ( cursor ) );
        asn1_enter ( &cursor, ASN1_SEQUENCE );

        /* Parse each extended key usage in turn */
        while ( cursor.len ) {
                if ( ( rc = x509_parse_key_purpose ( cert, &cursor ) ) != 0 )
                        return rc;
                asn1_skip_any ( &cursor );
        }

        return 0;
}

References asn1_enter(), ASN1_SEQUENCE, asn1_skip_any(), asn1_cursor::len, memcpy(), raw, rc, and x509_parse_key_purpose().

x509_parse_ocsp()

static int x509_parse_ocsp ( struct x509_certificate *  cert, const struct asn1_cursor *  raw  )

static

Parse X.509 certificate OCSP access method.

Parameters

cert	X.509 certificate
raw	ASN.1 cursor

Return values

rc	Return status code

Definition at line 626 of file x509.c.

                                                             {
        struct x509_ocsp_responder *ocsp = &cert->extensions.auth_info.ocsp;
        struct asn1_cursor *uri = &ocsp->uri;
        int rc;

        /* Enter accessLocation */
        memcpy ( uri, raw, sizeof ( *uri ) );
        if ( ( rc = asn1_enter ( uri, X509_GENERAL_NAME_URI ) ) != 0 ) {
                DBGC ( cert, "X509 %p OCSP does not contain "
                       "uniformResourceIdentifier:\n", cert );
                DBGC_HDA ( cert, 0, raw->data, raw->len );
                return rc;
        }
        DBGC2 ( cert, "X509 %p OCSP URI is:\n", cert );
        DBGC2_HDA ( cert, 0, uri->data, uri->len );

        return 0;
}

References asn1_enter(), x509_extensions::auth_info, DBGC, DBGC2, DBGC2_HDA, DBGC_HDA, x509_certificate::extensions, memcpy(), x509_authority_info_access::ocsp, raw, rc, x509_ocsp_responder::uri, and X509_GENERAL_NAME_URI.

x509_find_access_method()

static struct x509_access_method* x509_find_access_method ( const struct asn1_cursor *  oid )

static

Identify X.509 access method by OID.

Parameters

oid

OID

Return values

method

Access method, or NULL

Definition at line 665 of file x509.c.

                                                          {
        struct x509_access_method *method;
        unsigned int i;

        for ( i = 0 ; i < ( sizeof ( x509_access_methods ) /
                            sizeof ( x509_access_methods[0] ) ) ; i++ ) {
                method = &x509_access_methods[i];
                if ( asn1_compare ( &method->oid, oid ) == 0 )
                        return method;
        }

        return NULL;
}

References asn1_compare(), method, NULL, x509_access_method::oid, and x509_access_methods.

Referenced by x509_parse_access_description().

x509_parse_access_description()

static int x509_parse_access_description ( struct x509_certificate *  cert, const struct asn1_cursor *  raw  )

static

Parse X.509 certificate access description.

Parameters

cert	X.509 certificate
raw	ASN.1 cursor

Return values

rc	Return status code

Definition at line 686 of file x509.c.

                                                                           {
        struct asn1_cursor cursor;
        struct asn1_cursor subcursor;
        struct x509_access_method *method;
        int rc;

        /* Enter keyPurposeId */
        memcpy ( &cursor, raw, sizeof ( cursor ) );
        asn1_enter ( &cursor, ASN1_SEQUENCE );

        /* Try to identify access method */
        memcpy ( &subcursor, &cursor, sizeof ( subcursor ) );
        asn1_enter ( &subcursor, ASN1_OID );
        method = x509_find_access_method ( &subcursor );
        asn1_skip_any ( &cursor );
        DBGC2 ( cert, "X509 %p found access method %s\n",
                cert, ( method ? method->name : "<unknown>" ) );

        /* Parse access location, if applicable */
        if ( method && ( ( rc = method->parse ( cert, &cursor ) ) != 0 ) )
                return rc;

        return 0;
}

References asn1_enter(), ASN1_OID, ASN1_SEQUENCE, asn1_skip_any(), DBGC2, memcpy(), method, raw, rc, and x509_find_access_method().

Referenced by x509_parse_authority_info_access().

x509_parse_authority_info_access()

static int x509_parse_authority_info_access ( struct x509_certificate *  cert, const struct asn1_cursor *  raw  )

static

Parse X.509 certificate authority information access.

Parameters

cert	X.509 certificate
raw	ASN.1 cursor

Return values

rc	Return status code

Definition at line 719 of file x509.c.

                                                                              {
        struct asn1_cursor cursor;
        int rc;

        /* Enter authorityInfoAccess */
        memcpy ( &cursor, raw, sizeof ( cursor ) );
        asn1_enter ( &cursor, ASN1_SEQUENCE );

        /* Parse each access description in turn */
        while ( cursor.len ) {
                if ( ( rc = x509_parse_access_description ( cert,
                                                            &cursor ) ) != 0 )
                        return rc;
                asn1_skip_any ( &cursor );
        }

        return 0;
}

References asn1_enter(), ASN1_SEQUENCE, asn1_skip_any(), asn1_cursor::len, memcpy(), raw, rc, and x509_parse_access_description().

x509_parse_subject_alt_name()

static int x509_parse_subject_alt_name ( struct x509_certificate *  cert, const struct asn1_cursor *  raw  )

static

Parse X.509 certificate subject alternative name.

Parameters

cert	X.509 certificate
raw	ASN.1 cursor

Return values

rc	Return status code

Definition at line 746 of file x509.c.

                                                                         {
        struct x509_subject_alt_name *alt_name = &cert->extensions.alt_name;
        struct asn1_cursor *names = &alt_name->names;
        int rc;

        /* Enter subjectAltName */
        memcpy ( names, raw, sizeof ( *names ) );
        if ( ( rc = asn1_enter ( names, ASN1_SEQUENCE ) ) != 0 ) {
                DBGC ( cert, "X509 %p invalid subjectAltName: %s\n",
                       cert, strerror ( rc ) );
                DBGC_HDA ( cert, 0, raw->data, raw->len );
                return rc;
        }
        DBGC2 ( cert, "X509 %p has subjectAltName:\n", cert );
        DBGC2_HDA ( cert, 0, names->data, names->len );

        return 0;
}

References x509_extensions::alt_name, asn1_enter(), ASN1_SEQUENCE, asn1_cursor::data, DBGC, DBGC2, DBGC2_HDA, DBGC_HDA, x509_certificate::extensions, asn1_cursor::len, memcpy(), x509_subject_alt_name::names, raw, rc, and strerror().

x509_find_extension()

static struct x509_extension* x509_find_extension ( const struct asn1_cursor *  oid )

static

Identify X.509 extension by OID.

Parameters

oid

OID

Return values

extension

Extension, or NULL

Definition at line 822 of file x509.c.

                                                      {
        struct x509_extension *extension;
        unsigned int i;

        for ( i = 0 ; i < ( sizeof ( x509_extensions ) /
                            sizeof ( x509_extensions[0] ) ) ; i++ ) {
                extension = &x509_extensions[i];
                if ( asn1_compare ( &extension->oid, oid ) == 0 )
                        return extension;
        }

        return NULL;
}

References asn1_compare(), NULL, x509_extension::oid, and x509_extensions.

Referenced by x509_parse_extension().

x509_parse_extension()

static int x509_parse_extension ( struct x509_certificate *  cert, const struct asn1_cursor *  raw  )

static

Parse X.509 certificate extension.

Parameters

cert	X.509 certificate
raw	ASN.1 cursor

Return values

rc	Return status code

Definition at line 843 of file x509.c.

                                                                  {
        struct asn1_cursor cursor;
        struct asn1_cursor subcursor;
        struct x509_extension *extension;
        int is_critical = 0;
        int rc;

        /* Enter extension */
        memcpy ( &cursor, raw, sizeof ( cursor ) );
        asn1_enter ( &cursor, ASN1_SEQUENCE );

        /* Try to identify extension */
        memcpy ( &subcursor, &cursor, sizeof ( subcursor ) );
        asn1_enter ( &subcursor, ASN1_OID );
        extension = x509_find_extension ( &subcursor );
        asn1_skip_any ( &cursor );
        DBGC2 ( cert, "X509 %p found extension %s\n",
                cert, ( extension ? extension->name : "<unknown>" ) );

        /* Identify criticality */
        if ( asn1_type ( &cursor ) == ASN1_BOOLEAN ) {
                is_critical = asn1_boolean ( &cursor );
                if ( is_critical < 0 ) {
                        rc = is_critical;
                        DBGC ( cert, "X509 %p cannot parse extension "
                               "criticality: %s\n", cert, strerror ( rc ) );
                        DBGC_HDA ( cert, 0, raw->data, raw->len );
                        return rc;
                }
                asn1_skip_any ( &cursor );
        }

        /* Handle unknown extensions */
        if ( ! extension ) {
                if ( is_critical ) {
                        /* Fail if we cannot handle a critical extension */
                        DBGC ( cert, "X509 %p cannot handle critical "
                               "extension:\n", cert );
                        DBGC_HDA ( cert, 0, raw->data, raw->len );
                        return -ENOTSUP_EXTENSION;
                } else {
                        /* Ignore unknown non-critical extensions */
                        return 0;
                }
        };

        /* Extract extnValue */
        if ( ( rc = asn1_enter ( &cursor, ASN1_OCTET_STRING ) ) != 0 ) {
                DBGC ( cert, "X509 %p extension missing extnValue:\n", cert );
                DBGC_HDA ( cert, 0, raw->data, raw->len );
                return rc;
        }

        /* Parse extension */
        if ( ( rc = extension->parse ( cert, &cursor ) ) != 0 )
                return rc;

        return 0;
}

References ASN1_BOOLEAN, asn1_boolean(), asn1_enter(), ASN1_OCTET_STRING, ASN1_OID, ASN1_SEQUENCE, asn1_skip_any(), asn1_type(), DBGC, DBGC2, DBGC_HDA, ENOTSUP_EXTENSION, memcpy(), x509_extension::name, x509_extension::parse, raw, rc, strerror(), and x509_find_extension().

Referenced by x509_parse_extensions().

x509_parse_extensions()

static int x509_parse_extensions ( struct x509_certificate *  cert, const struct asn1_cursor *  raw  )

static

Parse X.509 certificate extensions, if present.

Parameters

cert	X.509 certificate
raw	ASN.1 cursor

Return values

rc	Return status code

Definition at line 911 of file x509.c.

                                                                   {
        struct asn1_cursor cursor;
        int rc;

        /* Enter extensions, if present */
        memcpy ( &cursor, raw, sizeof ( cursor ) );
        asn1_enter ( &cursor, ASN1_EXPLICIT_TAG ( 3 ) );
        asn1_enter ( &cursor, ASN1_SEQUENCE );

        /* Parse each extension in turn */
        while ( cursor.len ) {
                if ( ( rc = x509_parse_extension ( cert, &cursor ) ) != 0 )
                        return rc;
                asn1_skip_any ( &cursor );
        }

        return 0;
}

References asn1_enter(), ASN1_EXPLICIT_TAG, ASN1_SEQUENCE, asn1_skip_any(), asn1_cursor::len, memcpy(), raw, rc, and x509_parse_extension().

Referenced by x509_parse_tbscertificate().

x509_parse_tbscertificate()

static int x509_parse_tbscertificate ( struct x509_certificate *  cert, const struct asn1_cursor *  raw  )

static

Parse X.509 certificate tbsCertificate.

Parameters

cert	X.509 certificate
raw	ASN.1 cursor

Return values

rc	Return status code

Definition at line 938 of file x509.c.

                                                                       {
        struct asn1_algorithm **algorithm = &cert->signature_algorithm;
        struct asn1_cursor cursor;
        int rc;

        /* Record raw tbsCertificate */
        memcpy ( &cursor, raw, sizeof ( cursor ) );
        asn1_shrink_any ( &cursor );
        memcpy ( &cert->tbs, &cursor, sizeof ( cert->tbs ) );

        /* Enter tbsCertificate */
        asn1_enter ( &cursor, ASN1_SEQUENCE );

        /* Parse version, if present */
        if ( asn1_type ( &cursor ) == ASN1_EXPLICIT_TAG ( 0 ) ) {
                if ( ( rc = x509_parse_version ( cert, &cursor ) ) != 0 )
                        return rc;
                asn1_skip_any ( &cursor );
        }

        /* Parse serialNumber */
        if ( ( rc = x509_parse_serial ( cert, &cursor ) ) != 0 )
                return rc;
        asn1_skip_any ( &cursor );

        /* Parse signature */
        if ( ( rc = asn1_signature_algorithm ( &cursor, algorithm ) ) != 0 ) {
                DBGC ( cert, "X509 %p could not parse signature algorithm: "
                       "%s\n", cert, strerror ( rc ) );
                return rc;
        }
        DBGC2 ( cert, "X509 %p tbsCertificate signature algorithm is %s\n",
                cert, (*algorithm)->name );
        asn1_skip_any ( &cursor );

        /* Parse issuer */
        if ( ( rc = x509_parse_issuer ( cert, &cursor ) ) != 0 )
                return rc;
        asn1_skip_any ( &cursor );

        /* Parse validity */
        if ( ( rc = x509_parse_validity ( cert, &cursor ) ) != 0 )
                return rc;
        asn1_skip_any ( &cursor );

        /* Parse subject */
        if ( ( rc = x509_parse_subject ( cert, &cursor ) ) != 0 )
                return rc;
        asn1_skip_any ( &cursor );

        /* Parse subjectPublicKeyInfo */
        if ( ( rc = x509_parse_public_key ( cert, &cursor ) ) != 0 )
                return rc;
        asn1_skip_any ( &cursor );

        /* Parse extensions, if present */
        if ( ( rc = x509_parse_extensions ( cert, &cursor ) ) != 0 )
                return rc;

        return 0;
}

References algorithm, asn1_enter(), ASN1_EXPLICIT_TAG, ASN1_SEQUENCE, asn1_shrink_any(), asn1_signature_algorithm(), asn1_skip_any(), asn1_type(), DBGC, DBGC2, memcpy(), raw, rc, x509_certificate::signature_algorithm, strerror(), x509_certificate::tbs, x509_parse_extensions(), x509_parse_issuer(), x509_parse_public_key(), x509_parse_serial(), x509_parse_subject(), x509_parse_validity(), and x509_parse_version().

Referenced by x509_parse().

x509_parse()

int x509_parse	(	struct x509_certificate *	cert,
		const struct asn1_cursor *	raw
	)

Parse X.509 certificate from ASN.1 data.

Parameters

cert	X.509 certificate
raw	ASN.1 cursor

Return values

rc	Return status code

Definition at line 1008 of file x509.c.

                                                 {
        struct x509_signature *signature = &cert->signature;
        struct asn1_algorithm **signature_algorithm = &signature->algorithm;
        struct asn1_cursor *signature_value = &signature->value;
        struct asn1_cursor cursor;
        int rc;

        /* Record raw certificate */
        memcpy ( &cursor, raw, sizeof ( cursor ) );
        memcpy ( &cert->raw, &cursor, sizeof ( cert->raw ) );

        /* Enter certificate */
        asn1_enter ( &cursor, ASN1_SEQUENCE );

        /* Parse tbsCertificate */
        if ( ( rc = x509_parse_tbscertificate ( cert, &cursor ) ) != 0 )
                return rc;
        asn1_skip_any ( &cursor );

        /* Parse signatureAlgorithm */
        if ( ( rc = asn1_signature_algorithm ( &cursor,
                                               signature_algorithm ) ) != 0 ) {
                DBGC ( cert, "X509 %p could not parse signature algorithm: "
                       "%s\n", cert, strerror ( rc ) );
                return rc;
        }
        DBGC2 ( cert, "X509 %p signatureAlgorithm is %s\n",
                cert, (*signature_algorithm)->name );
        asn1_skip_any ( &cursor );

        /* Parse signatureValue */
        memcpy ( signature_value, &cursor, sizeof ( *signature_value ) );
        if ( ( rc = asn1_enter_bits ( signature_value, NULL ) ) != 0 ) {
                DBGC ( cert, "X509 %p could not parse signature value: %s\n",
                       cert, strerror ( rc ) );
                return rc;
        }
        DBGC2 ( cert, "X509 %p signatureValue is:\n", cert );
        DBGC2_HDA ( cert, 0, signature_value->data, signature_value->len );

        /* Check that algorithm in tbsCertificate matches algorithm in
         * signature
         */
        if ( signature->algorithm != (*signature_algorithm) ) {
                DBGC ( cert, "X509 %p signature algorithm %s does not match "
                       "signatureAlgorithm %s\n",
                       cert, signature->algorithm->name,
                       (*signature_algorithm)->name );
                return -EINVAL_ALGORITHM_MISMATCH;
        }

        return 0;
}

References asn1_enter(), asn1_enter_bits(), ASN1_SEQUENCE, asn1_signature_algorithm(), asn1_skip_any(), asn1_cursor::data, DBGC, DBGC2, DBGC2_HDA, EINVAL_ALGORITHM_MISMATCH, asn1_cursor::len, memcpy(), NULL, raw, x509_certificate::raw, rc, signature, x509_certificate::signature, strerror(), and x509_parse_tbscertificate().

Referenced by certstore_init(), and x509_certificate().

x509_certificate()

int x509_certificate	(	const void *	data,
		size_t	len,
		struct x509_certificate **	cert
	)

Create X.509 certificate.

Parameters

data	Raw certificate data
len	Length of raw data

Return values

cert	X.509 certificate
rc	Return status code

On success, the caller holds a reference to the X.509 certificate, and is responsible for ultimately calling x509_put().

Definition at line 1074 of file x509.c.

                                                        {
        struct asn1_cursor cursor;
        void *raw;
        int rc;

        /* Initialise cursor */
        cursor.data = data;
        cursor.len = len;
        asn1_shrink_any ( &cursor );

        /* Return stored certificate, if present */
        if ( ( *cert = x509_find ( NULL, &cursor ) ) != NULL ) {

                /* Add caller's reference */
                x509_get ( *cert );
                return 0;
        }

        /* Allocate and initialise certificate */
        *cert = zalloc ( sizeof ( **cert ) + cursor.len );
        if ( ! *cert )
                return -ENOMEM;
        ref_init ( &(*cert)->refcnt, x509_free );
        raw = ( *cert + 1 );

        /* Copy raw data */
        memcpy ( raw, cursor.data, cursor.len );
        cursor.data = raw;

        /* Parse certificate */
        if ( ( rc = x509_parse ( *cert, &cursor ) ) != 0 ) {
                x509_put ( *cert );
                *cert = NULL;
                return rc;
        }

        /* Add certificate to store */
        certstore_add ( *cert );

        return 0;
}

References asn1_shrink_any(), certstore_add(), data, asn1_cursor::data, ENOMEM, asn1_cursor::len, len, memcpy(), NULL, raw, rc, ref_init, x509_find(), x509_free(), x509_get(), x509_parse(), x509_put(), and zalloc().

x509_check_signature()

static int x509_check_signature ( struct x509_certificate *  cert, struct x509_public_key *  public_key  )

static

Check X.509 certificate signature.

Parameters

cert	X.509 certificate
public_key	X.509 public key

Return values

rc	Return status code

Definition at line 1124 of file x509.c.

                                                                       {
        struct x509_signature *signature = &cert->signature;
        struct asn1_algorithm *algorithm = signature->algorithm;
        struct digest_algorithm *digest = algorithm->digest;
        struct pubkey_algorithm *pubkey = algorithm->pubkey;
        uint8_t digest_ctx[ digest->ctxsize ];
        uint8_t digest_out[ digest->digestsize ];
        int rc;

        /* Sanity check */
        assert ( cert->signature_algorithm == cert->signature.algorithm );

        /* Calculate certificate digest */
        digest_init ( digest, digest_ctx );
        digest_update ( digest, digest_ctx, cert->tbs.data, cert->tbs.len );
        digest_final ( digest, digest_ctx, digest_out );
        DBGC2 ( cert, "X509 %p \"%s\" digest:\n", cert, x509_name ( cert ) );
        DBGC2_HDA ( cert, 0, digest_out, sizeof ( digest_out ) );

        /* Check that signature public key algorithm matches signer */
        if ( public_key->algorithm->pubkey != pubkey ) {
                DBGC ( cert, "X509 %p \"%s\" signature algorithm %s does not "
                       "match signer's algorithm %s\n",
                       cert, x509_name ( cert ), algorithm->name,
                       public_key->algorithm->name );
                rc = -EINVAL_ALGORITHM_MISMATCH;
                goto err_mismatch;
        }

        /* Verify signature using signer's public key */
        if ( ( rc = pubkey_verify ( pubkey, &public_key->raw, digest,
                                    digest_out, &signature->value ) ) != 0 ) {
                DBGC ( cert, "X509 %p \"%s\" signature verification failed: "
                       "%s\n", cert, x509_name ( cert ), strerror ( rc ) );
                goto err_pubkey_verify;
        }

        /* Success */
        rc = 0;

 err_pubkey_verify:
 err_mismatch:
        return rc;
}

References x509_public_key::algorithm, x509_signature::algorithm, algorithm, assert(), digest_algorithm::ctxsize, asn1_cursor::data, DBGC, DBGC2, DBGC2_HDA, digest_final(), digest_init(), digest_update(), digest_algorithm::digestsize, EINVAL_ALGORITHM_MISMATCH, asn1_cursor::len, asn1_algorithm::name, asn1_algorithm::pubkey, pubkey_verify(), x509_public_key::raw, rc, signature, x509_certificate::signature, x509_certificate::signature_algorithm, strerror(), x509_certificate::tbs, and x509_name().

Referenced by x509_check_issuer().

x509_check_issuer()

int x509_check_issuer	(	struct x509_certificate *	cert,
		struct x509_certificate *	issuer
	)

Check X.509 certificate against issuer certificate.

Parameters

cert	X.509 certificate
issuer	X.509 issuer certificate

Return values

rc	Return status code

Definition at line 1177 of file x509.c.

                                                          {
        struct x509_public_key *public_key = &issuer->subject.public_key;
        int rc;

        /* Check issuer.  In theory, this should be a full X.500 DN
         * comparison, which would require support for a plethora of
         * abominations such as TeletexString (which allows the
         * character set to be changed mid-string using escape codes).
         * In practice, we assume that anyone who deliberately changes
         * the encoding of the issuer DN is probably a masochist who
         * will rather enjoy the process of figuring out exactly why
         * their certificate doesn't work.
         *
         * See http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt
         * for some enjoyable ranting on this subject.
         */
        if ( asn1_compare ( &cert->issuer.raw, &issuer->subject.raw ) != 0 ) {
                DBGC ( cert, "X509 %p \"%s\" issuer does not match ",
                       cert, x509_name ( cert ) );
                DBGC ( cert, "X509 %p \"%s\" subject\n",
                       issuer, x509_name ( issuer ) );
                DBGC_HDA ( cert, 0, cert->issuer.raw.data,
                           cert->issuer.raw.len );
                DBGC_HDA ( issuer, 0, issuer->subject.raw.data,
                           issuer->subject.raw.len );
                return -EACCES_WRONG_ISSUER;
        }

        /* Check that issuer is allowed to sign certificates */
        if ( ! issuer->extensions.basic.ca ) {
                DBGC ( issuer, "X509 %p \"%s\" cannot sign ",
                       issuer, x509_name ( issuer ) );
                DBGC ( issuer, "X509 %p \"%s\": not a CA certificate\n",
                       cert, x509_name ( cert ) );
                return -EACCES_NOT_CA;
        }
        if ( issuer->extensions.usage.present &&
             ( ! ( issuer->extensions.usage.bits & X509_KEY_CERT_SIGN ) ) ) {
                DBGC ( issuer, "X509 %p \"%s\" cannot sign ",
                       issuer, x509_name ( issuer ) );
                DBGC ( issuer, "X509 %p \"%s\": no keyCertSign usage\n",
                       cert, x509_name ( cert ) );
                return -EACCES_KEY_USAGE;
        }

        /* Check signature */
        if ( ( rc = x509_check_signature ( cert, public_key ) ) != 0 )
                return rc;

        return 0;
}

References asn1_compare(), x509_extensions::basic, x509_key_usage::bits, x509_basic_constraints::ca, asn1_cursor::data, DBGC, DBGC_HDA, EACCES_KEY_USAGE, EACCES_NOT_CA, EACCES_WRONG_ISSUER, x509_certificate::extensions, x509_certificate::issuer, asn1_cursor::len, x509_key_usage::present, x509_subject::public_key, x509_subject::raw, x509_issuer::raw, rc, x509_certificate::subject, x509_extensions::usage, x509_check_signature(), X509_KEY_CERT_SIGN, and x509_name().

Referenced by x509_check_issuer_fail_okx(), x509_check_issuer_okx(), and x509_validate().

x509_fingerprint()

void x509_fingerprint	(	struct x509_certificate *	cert,
		struct digest_algorithm *	digest,
		void *	fingerprint
	)

Calculate X.509 certificate fingerprint.

Parameters

cert	X.509 certificate
digest	Digest algorithm
fingerprint	Fingerprint buffer

Definition at line 1237 of file x509.c.

                                            {
        uint8_t ctx[ digest->ctxsize ];

        /* Calculate fingerprint */
        digest_init ( digest, ctx );
        digest_update ( digest, ctx, cert->raw.data, cert->raw.len );
        digest_final ( digest, ctx, fingerprint );
}

References ctx, digest_algorithm::ctxsize, asn1_cursor::data, digest_final(), digest_init(), digest_update(), asn1_cursor::len, and x509_certificate::raw.

Referenced by certstat(), icert_certs(), x509_check_root(), x509_fingerprint_okx(), and x509_name().

x509_check_root()

int x509_check_root	(	struct x509_certificate *	cert,
		struct x509_root *	root
	)

Check X.509 root certificate.

Parameters

cert	X.509 certificate
root	X.509 root certificate list

Return values

rc	Return status code

Definition at line 1255 of file x509.c.

                                                                              {
        struct digest_algorithm *digest = root->digest;
        uint8_t fingerprint[ digest->digestsize ];
        const uint8_t *root_fingerprint = root->fingerprints;
        unsigned int i;

        /* Calculate certificate fingerprint */
        x509_fingerprint ( cert, digest, fingerprint );

        /* Check fingerprint against all root certificates */
        for ( i = 0 ; i < root->count ; i++ ) {
                if ( memcmp ( fingerprint, root_fingerprint,
                              sizeof ( fingerprint ) ) == 0 ) {
                        DBGC ( cert, "X509 %p \"%s\" is a root certificate\n",
                               cert, x509_name ( cert ) );
                        return 0;
                }
                root_fingerprint += sizeof ( fingerprint );
        }

        DBGC2 ( cert, "X509 %p \"%s\" is not a root certificate\n",
                cert, x509_name ( cert ) );
        return -ENOENT;
}

References DBGC, DBGC2, digest_algorithm::digestsize, ENOENT, memcmp(), root, x509_fingerprint(), and x509_name().

Referenced by x509_check_root_fail_okx(), x509_check_root_okx(), and x509_validate().

x509_check_time()

int x509_check_time	(	struct x509_certificate *	cert,
		time_t	time
	)

Check X.509 certificate validity period.

Parameters

cert	X.509 certificate
time	Time at which to check certificate

Return values

rc	Return status code

Definition at line 1287 of file x509.c.

                                                                   {
        struct x509_validity *validity = &cert->validity;

        /* Check validity period */
        if ( validity->not_before.time > ( time + TIMESTAMP_ERROR_MARGIN ) ) {
                DBGC ( cert, "X509 %p \"%s\" is not yet valid (at time %lld)\n",
                       cert, x509_name ( cert ), time );
                return -EACCES_EXPIRED;
        }
        if ( validity->not_after.time < ( time - TIMESTAMP_ERROR_MARGIN ) ) {
                DBGC ( cert, "X509 %p \"%s\" has expired (at time %lld)\n",
                       cert, x509_name ( cert ), time );
                return -EACCES_EXPIRED;
        }

        DBGC2 ( cert, "X509 %p \"%s\" is valid (at time %lld)\n",
                cert, x509_name ( cert ), time );
        return 0;
}

References DBGC, DBGC2, EACCES_EXPIRED, x509_validity::not_after, x509_validity::not_before, x509_time::time, TIMESTAMP_ERROR_MARGIN, x509_certificate::validity, and x509_name().

Referenced by x509_check_time_fail_okx(), x509_check_time_okx(), and x509_validate().

x509_is_valid()

int x509_is_valid	(	struct x509_certificate *	cert,
		struct x509_root *	root
	)

Check if X.509 certificate is valid.

Parameters

cert	X.509 certificate
root	Root certificate list, or NULL to use default

Definition at line 1313 of file x509.c.

                                                                            {

        /* Use default root certificate store if none specified */
        if ( ! root )
                root = &root_certificates;

        return ( cert->root == root );
}

References root, x509_certificate::root, and root_certificates.

Referenced by certstat(), ipair_window_changed(), validator_step(), x509_validate(), and x509_validate_chain_okx().

x509_set_valid()

void x509_set_valid	(	struct x509_certificate *	cert,
		struct x509_certificate *	issuer,
		struct x509_root *	root
	)

Set X.509 certificate as validated.

Parameters

cert	X.509 certificate
issuer	Issuing X.509 certificate (or NULL)
root	Root certificate list

Definition at line 1329 of file x509.c.

                                               {
        unsigned int max_path_remaining;

        /* Sanity checks */
        assert ( root != NULL );
        assert ( ( issuer == NULL ) || ( issuer->path_remaining >= 1 ) );

        /* Record validation root */
        x509_root_put ( cert->root );
        cert->root = x509_root_get ( root );

        /* Calculate effective path length */
        cert->path_remaining = ( cert->extensions.basic.path_len + 1 );
        if ( issuer ) {
                max_path_remaining = ( issuer->path_remaining - 1 );
                if ( cert->path_remaining > max_path_remaining )
                        cert->path_remaining = max_path_remaining;
        }
}

References assert(), x509_extensions::basic, x509_certificate::extensions, NULL, x509_basic_constraints::path_len, x509_certificate::path_remaining, root, x509_certificate::root, x509_root_get(), and x509_root_put().

Referenced by efi_cacert(), and x509_validate().

x509_validate()

int x509_validate	(	struct x509_certificate *	cert,
		struct x509_certificate *	issuer,
		time_t	time,
		struct x509_root *	root
	)

Validate X.509 certificate.

Parameters

cert	X.509 certificate
issuer	Issuing X.509 certificate (or NULL)
time	Time at which to validate certificate
root	Root certificate list, or NULL to use default

Return values

rc	Return status code

The issuing certificate must have already been validated.

Validation results are cached: if a certificate has already been successfully validated then issuer, time, and root will be ignored.

Definition at line 1366 of file x509.c.

                                                          {
        int rc;

        /* Use default root certificate store if none specified */
        if ( ! root )
                root = &root_certificates;

        /* Return success if certificate has already been validated */
        if ( x509_is_valid ( cert, root ) )
                return 0;

        /* Fail if certificate is invalid at specified time */
        if ( ( rc = x509_check_time ( cert, time ) ) != 0 )
                return rc;

        /* Succeed if certificate is a trusted root certificate */
        if ( x509_check_root ( cert, root ) == 0 ) {
                x509_set_valid ( cert, NULL, root );
                return 0;
        }

        /* Fail unless we have an issuer */
        if ( ! issuer ) {
                DBGC2 ( cert, "X509 %p \"%s\" has no trusted issuer\n",
                        cert, x509_name ( cert ) );
                return -EACCES_UNTRUSTED;
        }

        /* Fail unless issuer has already been validated */
        if ( ! x509_is_valid ( issuer, root ) ) {
                DBGC ( cert, "X509 %p \"%s\" ", cert, x509_name ( cert ) );
                DBGC ( cert, "issuer %p \"%s\" has not yet been validated\n",
                       issuer, x509_name ( issuer ) );
                return -EACCES_OUT_OF_ORDER;
        }

        /* Fail if issuing certificate cannot validate this certificate */
        if ( ( rc = x509_check_issuer ( cert, issuer ) ) != 0 )
                return rc;

        /* Fail if path length constraint is violated */
        if ( issuer->path_remaining == 0 ) {
                DBGC ( cert, "X509 %p \"%s\" ", cert, x509_name ( cert ) );
                DBGC ( cert, "issuer %p \"%s\" path length exceeded\n",
                       issuer, x509_name ( issuer ) );
                return -EACCES_PATH_LEN;
        }

        /* Fail if OCSP is required */
        if ( ocsp_required ( cert ) ) {
                DBGC ( cert, "X509 %p \"%s\" requires an OCSP check\n",
                       cert, x509_name ( cert ) );
                return -EACCES_OCSP_REQUIRED;
        }

        /* Mark certificate as valid */
        x509_set_valid ( cert, issuer, root );

        DBGC ( cert, "X509 %p \"%s\" successfully validated using ",
               cert, x509_name ( cert ) );
        DBGC ( cert, "issuer %p \"%s\"\n", issuer, x509_name ( issuer ) );
        return 0;
}

References DBGC, DBGC2, EACCES_OCSP_REQUIRED, EACCES_OUT_OF_ORDER, EACCES_PATH_LEN, EACCES_UNTRUSTED, NULL, ocsp_required(), x509_certificate::path_remaining, rc, root, root_certificates, x509_check_issuer(), x509_check_root(), x509_check_time(), x509_is_valid(), x509_name(), and x509_set_valid().

Referenced by ocsp_validate(), and x509_validate_chain().

x509_check_dnsname()

static int x509_check_dnsname ( struct x509_certificate *  cert, const struct asn1_cursor *  raw, const char *  name  )

static

Check X.509 certificate alternative dNSName.

Parameters

cert	X.509 certificate
raw	ASN.1 cursor
name	Name

Return values

rc	Return status code

Definition at line 1440 of file x509.c.

                                                   {
        const char *fullname = name;
        const char *dnsname = raw->data;
        size_t len = raw->len;

        /* Check for wildcards */
        if ( ( len >= 2 ) && ( dnsname[0] == '*' ) && ( dnsname[1] == '.' ) ) {

                /* Skip initial "*." */
                dnsname += 2;
                len -= 2;

                /* Skip initial portion of name to be tested */
                name = strchr ( name, '.' );
                if ( ! name )
                        return -ENOENT;
                name++;
        }

        /* Compare names */
        if ( ! ( ( strlen ( name ) == len ) &&
                 ( strncasecmp ( name, dnsname, len ) == 0 ) ) )
                return -ENOENT;

        if ( name != fullname ) {
                DBGC2 ( cert, "X509 %p \"%s\" found wildcard match for "
                        "\"*.%s\"\n", cert, x509_name ( cert ), name );
        }
        return 0;
}

References DBGC2, ENOENT, len, name, raw, strchr(), strlen(), strncasecmp(), and x509_name().

Referenced by x509_check_alt_name(), and x509_check_name().

x509_check_ipaddress()

static int x509_check_ipaddress ( struct x509_certificate *  cert, const struct asn1_cursor *  raw, const char *  name  )

static

Check X.509 certificate alternative iPAddress.

Parameters

cert	X.509 certificate
raw	ASN.1 cursor
name	Name

Return values

rc	Return status code

Definition at line 1481 of file x509.c.

                                                     {
        struct sockaddr sa;
        sa_family_t family;
        const void *address;
        int rc;

        /* Determine address family */
        if ( raw->len == sizeof ( struct in_addr ) ) {
                struct sockaddr_in *sin = ( ( struct sockaddr_in * ) &sa );
                family = AF_INET;
                address = &sin->sin_addr;
        } else if ( raw->len == sizeof ( struct in6_addr ) ) {
                struct sockaddr_in6 *sin6 = ( ( struct sockaddr_in6 * ) &sa );
                family = AF_INET6;
                address = &sin6->sin6_addr;
        } else {
                DBGC ( cert, "X509 %p \"%s\" has iPAddress with unexpected "
                       "length %zd\n", cert, x509_name ( cert ), raw->len );
                DBGC_HDA ( cert, 0, raw->data, raw->len );
                return -EINVAL;
        }

        /* Attempt to convert name to a socket address */
        if ( ( rc = sock_aton ( name, &sa ) ) != 0 ) {
                DBGC2 ( cert, "X509 %p \"%s\" cannot parse \"%s\" as "
                        "iPAddress: %s\n", cert, x509_name ( cert ), name,
                        strerror ( rc ) );
                return rc;
        }
        if ( sa.sa_family != family )
                return -ENOENT;

        /* Compare addresses */
        if ( memcmp ( address, raw->data, raw->len ) != 0 )
                return -ENOENT;

        DBGC2 ( cert, "X509 %p \"%s\" found iPAddress match for \"%s\"\n",
                cert, x509_name ( cert ), sock_ntoa ( &sa ) );
        return 0;
}

References address, AF_INET, AF_INET6, DBGC, DBGC2, DBGC_HDA, EINVAL, ENOENT, memcmp(), name, raw, rc, sa, sockaddr::sa_family, sin, sin6, sockaddr_in6::sin6_addr, sockaddr_in::sin_addr, sock_aton(), sock_ntoa(), strerror(), and x509_name().

Referenced by x509_check_alt_name().

x509_check_alt_name()

static int x509_check_alt_name ( struct x509_certificate *  cert, const struct asn1_cursor *  raw, const char *  name  )

static

Check X.509 certificate alternative name.

Parameters

cert	X.509 certificate
raw	ASN.1 cursor
name	Name

Return values

rc	Return status code

Definition at line 1532 of file x509.c.

                                                    {
        struct asn1_cursor alt_name;
        unsigned int type;

        /* Enter generalName */
        memcpy ( &alt_name, raw, sizeof ( alt_name ) );
        type = asn1_type ( &alt_name );
        asn1_enter_any ( &alt_name );

        /* Check this name */
        switch ( type ) {
        case X509_GENERAL_NAME_DNS :
                return x509_check_dnsname ( cert, &alt_name, name );
        case X509_GENERAL_NAME_IP :
                return x509_check_ipaddress ( cert, &alt_name, name );
        default:
                DBGC2 ( cert, "X509 %p \"%s\" unknown name of type %#02x:\n",
                        cert, x509_name ( cert ), type );
                DBGC2_HDA ( cert, 0, alt_name.data, alt_name.len );
                return -ENOTSUP;
        }
}

References asn1_enter_any(), asn1_type(), asn1_cursor::data, DBGC2, DBGC2_HDA, ENOTSUP, asn1_cursor::len, memcpy(), name, raw, type, x509_check_dnsname(), x509_check_ipaddress(), X509_GENERAL_NAME_DNS, X509_GENERAL_NAME_IP, and x509_name().

Referenced by x509_check_name().

x509_check_name()

int x509_check_name	(	struct x509_certificate *	cert,
		const char *	name
	)

Check X.509 certificate name.

Parameters

cert	X.509 certificate
name	Name

Return values

rc	Return status code

Definition at line 1564 of file x509.c.

                                                                        {
        struct asn1_cursor *common_name = &cert->subject.common_name;
        struct asn1_cursor alt_name;
        int rc;

        /* Check commonName */
        if ( x509_check_dnsname ( cert, common_name, name ) == 0 ) {
                DBGC2 ( cert, "X509 %p \"%s\" commonName matches \"%s\"\n",
                        cert, x509_name ( cert ), name );
                return 0;
        }

        /* Check any subjectAlternativeNames */
        memcpy ( &alt_name, &cert->extensions.alt_name.names,
                 sizeof ( alt_name ) );
        for ( ; alt_name.len ; asn1_skip_any ( &alt_name ) ) {
                if ( ( rc = x509_check_alt_name ( cert, &alt_name,
                                                  name ) ) == 0 ) {
                        DBGC2 ( cert, "X509 %p \"%s\" subjectAltName matches "
                                "\"%s\"\n", cert, x509_name ( cert ), name );
                        return 0;
                }
        }

        DBGC ( cert, "X509 %p \"%s\" does not match name \"%s\"\n",
               cert, x509_name ( cert ), name );
        return -EACCES_WRONG_NAME;
}

References x509_extensions::alt_name, asn1_skip_any(), x509_subject::common_name, DBGC, DBGC2, EACCES_WRONG_NAME, x509_certificate::extensions, asn1_cursor::len, memcpy(), name, x509_subject_alt_name::names, rc, x509_certificate::subject, x509_check_alt_name(), x509_check_dnsname(), and x509_name().

Referenced by cert_exec(), cms_verify(), tls_validator_done(), x509_check_name_fail_okx(), and x509_check_name_okx().

x509_free_chain()

static void x509_free_chain ( struct refcnt *  refcnt )

static

Free X.509 certificate chain.

Parameters

refcnt

Reference count

Definition at line 1598 of file x509.c.

                                                      {
        struct x509_chain *chain =
                container_of ( refcnt, struct x509_chain, refcnt );

        DBGC2 ( chain, "X509 chain %p freed\n", chain );

        /* Free chain */
        x509_truncate ( chain, NULL );
        assert ( list_empty ( &chain->links ) );
        free ( chain );
}

References assert(), container_of, DBGC2, free, x509_chain::links, list_empty, NULL, and x509_truncate().

Referenced by x509_alloc_chain().

x509_alloc_chain()

struct x509_chain* x509_alloc_chain

(

void

)

Allocate X.509 certificate chain.

Return values

chain

X.509 certificate chain, or NULL

Definition at line 1615 of file x509.c.

                                              {
        struct x509_chain *chain;

        /* Allocate chain */
        chain = zalloc ( sizeof ( *chain ) );
        if ( ! chain )
                return NULL;

        /* Initialise chain */
        ref_init ( &chain->refcnt, x509_free_chain );
        INIT_LIST_HEAD ( &chain->links );

        DBGC2 ( chain, "X509 chain %p allocated\n", chain );
        return chain;
}

References DBGC2, INIT_LIST_HEAD, x509_chain::links, NULL, ref_init, x509_chain::refcnt, x509_free_chain(), and zalloc().

Referenced by cms_parse_participants(), cms_parse_signed(), tls_new_certificate_request(), tls_parse_chain(), validator_append(), and x509_chain_okx().

x509_append()

int x509_append	(	struct x509_chain *	chain,
		struct x509_certificate *	cert
	)

Append X.509 certificate to X.509 certificate chain.

Parameters

chain	X.509 certificate chain
cert	X.509 certificate

Return values

rc	Return status code

Definition at line 1638 of file x509.c.

                                                                            {
        struct x509_link *link;
        int rc;

        /* Ensure allocation of link cannot invalidate certificate */
        x509_get ( cert );

        /* Allocate link */
        link = zalloc ( sizeof ( *link ) );
        if ( ! link ) {
                rc = -ENOMEM;
                goto err_alloc;
        }

        /* Add link to chain */
        link->cert = x509_get ( cert );
        list_add_tail ( &link->list, &chain->links );
        DBGC ( chain, "X509 chain %p added X509 %p \"%s\"\n",
               chain, cert, x509_name ( cert ) );

        /* Success */
        rc = 0;

        x509_put ( cert );
 err_alloc:
        return rc;
}

References x509_link::cert, DBGC, ENOMEM, link, x509_chain::links, list_add_tail, rc, x509_get(), x509_name(), x509_put(), and zalloc().

Referenced by cms_parse_identifier(), tls_new_certificate_request(), x509_append_raw(), x509_auto_append(), and x509_chain_okx().

x509_append_raw()

int x509_append_raw	(	struct x509_chain *	chain,
		const void *	data,
		size_t	len
	)

Append X.509 certificate to X.509 certificate chain.

Parameters

chain	X.509 certificate chain
data	Raw certificate data
len	Length of raw data

Return values

rc	Return status code

Definition at line 1674 of file x509.c.

                                   {
        struct x509_certificate *cert;
        int rc;

        /* Parse certificate */
        if ( ( rc = x509_certificate ( data, len, &cert ) ) != 0 )
                goto err_parse;

        /* Append certificate to chain */
        if ( ( rc = x509_append ( chain, cert ) ) != 0 )
                goto err_append;

        /* Drop reference to certificate */
        x509_put ( cert );

        return 0;

 err_append:
        x509_put ( cert );
 err_parse:
        return rc;
}

References data, len, rc, x509_append(), and x509_put().

Referenced by cms_parse_certificates(), efi_cacert(), tls_parse_chain(), and validator_append().

x509_truncate()

void x509_truncate	(	struct x509_chain *	chain,
		struct x509_link *	link
	)

Truncate X.509 certificate chain.

Parameters

chain	X.509 certificate chain
link	Link after which to truncate chain, or NULL

Definition at line 1704 of file x509.c.

                                                                        {
        struct x509_link *tmp;

        /* Truncate entire chain if no link is specified */
        if ( ! link )
                link = list_entry ( &chain->links, struct x509_link, list );

        /* Free each link in the chain */
        list_for_each_entry_safe_continue ( link, tmp, &chain->links, list ) {
                x509_put ( link->cert );
                list_del ( &link->list );
                free ( link );
        }
}

References free, link, x509_chain::links, x509_link::list, list_del, list_entry, list_for_each_entry_safe_continue, tmp, and x509_put().

Referenced by efi_cacert_shutdown(), validator_append(), x509_free_chain(), and x509_test_exec().

x509_found()

static struct x509_certificate* x509_found ( struct x509_chain *  store, struct x509_certificate *  cert  )

static

Mark X.509 certificate as found.

Parameters

store	Certificate store
cert	X.509 certificate

Return values

cert	X.509 certificate

Definition at line 1726 of file x509.c.

                                                                              {

        /* Sanity check */
        assert ( store != NULL );

        /* Mark as found, if applicable */
        if ( store->found )
                store->found ( store, cert );

        return cert;
}

References assert(), NULL, and x509_certificate::store.

Referenced by x509_find(), x509_find_issuer_serial(), x509_find_key(), and x509_find_subject().

x509_find()

struct x509_certificate* x509_find	(	struct x509_chain *	store,
		const struct asn1_cursor *	raw
	)

Identify X.509 certificate by raw certificate data.

Parameters

store	Certificate store, or NULL to use default
raw	Raw certificate data

Return values

cert	X.509 certificate, or NULL if not found

Definition at line 1746 of file x509.c.

                                                                      {
        struct x509_link *link;
        struct x509_certificate *cert;

        /* Use default certificate store if none specified */
        if ( ! store )
                store = &certstore;

        /* Search for certificate within store */
        list_for_each_entry ( link, &store->links, list ) {

                /* Check raw certificate data */
                cert = link->cert;
                if ( asn1_compare ( raw, &cert->raw ) == 0 )
                        return x509_found ( store, cert );
        }

        return NULL;
}

References asn1_compare(), certstore, link, list_for_each_entry, NULL, raw, x509_certificate::raw, x509_certificate::store, and x509_found().

Referenced by certstore_init(), and x509_certificate().

x509_find_subject()

struct x509_certificate* x509_find_subject	(	struct x509_chain *	store,
		const struct asn1_cursor *	subject
	)

Identify X.509 certificate by subject.

Parameters

store	Certificate store, or NULL to use default
subject	Subject

Return values

cert	X.509 certificate, or NULL if not found

Definition at line 1775 of file x509.c.

                                                        {
        struct x509_link *link;
        struct x509_certificate *cert;

        /* Use default certificate store if none specified */
        if ( ! store )
                store = &certstore;

        /* Scan through certificate list */
        list_for_each_entry ( link, &store->links, list ) {

                /* Check subject */
                cert = link->cert;
                if ( asn1_compare ( subject, &cert->subject.raw ) == 0 )
                        return x509_found ( store, cert );
        }

        return NULL;
}

References asn1_compare(), certstore, link, list_for_each_entry, NULL, x509_subject::raw, x509_certificate::store, x509_certificate::subject, and x509_found().

Referenced by x509_auto_append().

x509_find_issuer_serial()

struct x509_certificate* x509_find_issuer_serial	(	struct x509_chain *	store,
		const struct asn1_cursor *	issuer,
		const struct asn1_cursor *	serial
	)

Identify X.509 certificate by issuer and serial number.

Parameters

store	Certificate store, or NULL to use default
issuer	Issuer
serial	Serial number

Return values

cert	X.509 certificate, or NULL if not found

Definition at line 1805 of file x509.c.

                                                             {
        struct x509_link *link;
        struct x509_certificate *cert;

        /* Use default certificate store if none specified */
        if ( ! store )
                store = &certstore;

        /* Scan through certificate list */
        list_for_each_entry ( link, &store->links, list ) {

                /* Check issuer and serial number */
                cert = link->cert;
                if ( ( asn1_compare ( issuer, &cert->issuer.raw ) == 0 ) &&
                     ( asn1_compare ( serial, &cert->serial.raw ) == 0 ) )
                        return x509_found ( store, cert );
        }

        return NULL;
}

References asn1_compare(), certstore, x509_certificate::issuer, link, list_for_each_entry, NULL, x509_issuer::raw, x509_serial::raw, serial, x509_certificate::serial, x509_certificate::store, and x509_found().

Referenced by cms_parse_identifier().

x509_find_key()

struct x509_certificate* x509_find_key	(	struct x509_chain *	store,
		struct private_key *	key
	)

Identify X.509 certificate by corresponding public key.

Parameters

store	Certificate store, or NULL to use default
key	Private key

Return values

cert	X.509 certificate, or NULL if not found

Definition at line 1835 of file x509.c.

                                                                    {
        struct x509_link *link;
        struct x509_certificate *cert;

        /* Use default certificate store if none specified */
        if ( ! store )
                store = &certstore;

        /* Scan through certificate list */
        list_for_each_entry ( link, &store->links, list ) {

                /* Check public key */
                cert = link->cert;
                if ( pubkey_match ( cert->signature_algorithm->pubkey,
                                    privkey_cursor ( key ),
                                    &cert->subject.public_key.raw ) == 0 )
                        return x509_found ( store, cert );
        }

        return NULL;
}

References certstore, key, link, list_for_each_entry, NULL, privkey_cursor(), asn1_algorithm::pubkey, pubkey_match(), x509_subject::public_key, x509_public_key::raw, x509_certificate::signature_algorithm, x509_certificate::store, x509_certificate::subject, and x509_found().

Referenced by cms_keypair_okx(), cms_recipient(), and tls_new_certificate_request().

x509_auto_append()

int x509_auto_append	(	struct x509_chain *	chain,
		struct x509_chain *	store
	)

Append X.509 certificates to X.509 certificate chain.

Parameters

chain	X.509 certificate chain
store	Certificate store, or NULL to use default

Return values

rc	Return status code

Certificates will be automatically appended to the chain based upon the subject and issuer names.

Definition at line 1868 of file x509.c.

                                                                            {
        struct x509_certificate *cert;
        struct x509_certificate *previous;
        int rc;

        /* Get current certificate */
        cert = x509_last ( chain );
        if ( ! cert ) {
                DBGC ( chain, "X509 chain %p has no certificates\n", chain );
                return -EACCES_EMPTY;
        }

        /* Append certificates, in order */
        while ( 1 ) {

                /* Find issuing certificate */
                previous = cert;
                cert = x509_find_subject ( store, &cert->issuer.raw );
                if ( ! cert )
                        break;
                if ( cert == previous )
                        break;

                /* Append certificate to chain */
                if ( ( rc = x509_append ( chain, cert ) ) != 0 )
                        return rc;
        }

        return 0;
}

References DBGC, EACCES_EMPTY, x509_certificate::issuer, x509_issuer::raw, rc, x509_certificate::store, x509_append(), x509_find_subject(), and x509_last().

Referenced by cms_parse_identifier(), tls_new_certificate_request(), validator_append(), and x509_validate_chain().

x509_validate_chain()

int x509_validate_chain	(	struct x509_chain *	chain,
		time_t	time,
		struct x509_chain *	store,
		struct x509_root *	root
	)

Validate X.509 certificate chain.

Parameters

chain	X.509 certificate chain
time	Time at which to validate certificates
store	Certificate store, or NULL to use default
root	Root certificate list, or NULL to use default

Return values

rc	Return status code

Definition at line 1908 of file x509.c.

                                                                             {
        struct x509_certificate *issuer = NULL;
        struct x509_link *link;
        int rc;

        /* Append any applicable certificates from the certificate store */
        if ( ( rc = x509_auto_append ( chain, store ) ) != 0 )
                return rc;

        /* Find first certificate that can be validated as a
         * standalone (i.e.  is already valid, or can be validated as
         * a trusted root certificate).
         */
        list_for_each_entry ( link, &chain->links, list ) {

                /* Try validating this certificate as a standalone */
                if ( ( rc = x509_validate ( link->cert, NULL, time,
                                            root ) ) != 0 )
                        continue;

                /* Work back up to start of chain, performing pairwise
                 * validation.
                 */
                issuer = link->cert;
                list_for_each_entry_continue_reverse ( link, &chain->links,
                                                       list ) {

                        /* Validate this certificate against its issuer */
                        if ( ( rc = x509_validate ( link->cert, issuer, time,
                                                    root ) ) != 0 )
                                return rc;
                        issuer = link->cert;
                }

                return 0;
        }

        DBGC ( chain, "X509 chain %p found no usable certificates\n", chain );
        return -EACCES_USELESS;
}

References DBGC, EACCES_USELESS, x509_certificate::issuer, link, x509_chain::links, x509_link::list, list_for_each_entry, list_for_each_entry_continue_reverse, NULL, rc, root, x509_auto_append(), and x509_validate().

Referenced by cms_verify_signer(), validator_step(), x509_validate_chain_fail_okx(), and x509_validate_chain_okx().

image_x509()

int image_x509	(	struct image *	image,
		size_t	offset,
		struct x509_certificate **	cert
	)

Extract X.509 certificate object from image.

Parameters

image	Image
offset	Offset within image

Return values

cert	X.509 certificate
next	Offset to next image, or negative error

On success, the caller holds a reference to the X.509 certificate, and is responsible for ultimately calling x509_put().

Definition at line 1961 of file x509.c.

                                                  {
        struct asn1_cursor *cursor;
        int next;
        int rc;

        /* Get ASN.1 object */
        next = image_asn1 ( image, offset, &cursor );
        if ( next < 0 ) {
                rc = next;
                goto err_asn1;
        }

        /* Parse certificate */
        if ( ( rc = x509_certificate ( cursor->data, cursor->len,
                                       cert ) ) != 0 )
                goto err_certificate;

        /* Free ASN.1 object */
        free ( cursor );

        return next;

        x509_put ( *cert );
 err_certificate:
        free ( cursor );
 err_asn1:
        return rc;
}

References asn1_cursor::data, free, image_asn1(), asn1_cursor::len, next, offset, rc, and x509_put().

Referenced by cert_exec().

REQUIRING_SYMBOL()

REQUIRING_SYMBOL

(

x509_validate

)

REQUIRE_OBJECT() [1/2]

REQUIRE_OBJECT

(

certstore

)

REQUIRE_OBJECT() [2/2]

REQUIRE_OBJECT

(

config_crypto

)

Variable Documentation

oid_common_name

uint8_t oid_common_name[] = { ASN1_OID_COMMON_NAME }

static

"commonName" object identifier

Definition at line 171 of file x509.c.

oid_common_name_cursor

struct asn1_cursor oid_common_name_cursor

static

Initial value:

=
        ASN1_CURSOR ( oid_common_name )

"commonName" object identifier cursor

Definition at line 174 of file x509.c.

Referenced by x509_parse_common_name().

oid_code_signing

uint8_t oid_code_signing[] = { ASN1_OID_CODESIGNING }

static

"id-kp-codeSigning" object identifier

Definition at line 535 of file x509.c.

oid_ocsp_signing

uint8_t oid_ocsp_signing[] = { ASN1_OID_OCSPSIGNING }

static

"id-kp-OCSPSigning" object identifier

Definition at line 538 of file x509.c.

x509_key_purposes

struct x509_key_purpose x509_key_purposes[]

static

Initial value:

= {
        {
                .name = "codeSigning",
                .bits = X509_CODE_SIGNING,
                .oid = ASN1_CURSOR ( oid_code_signing ),
        },
        {
                .name = "ocspSigning",
                .bits = X509_OCSP_SIGNING,
                .oid = ASN1_CURSOR ( oid_ocsp_signing ),
        },
}

Supported key purposes.

Definition at line 541 of file x509.c.

Referenced by x509_parse_key_purpose().

oid_ad_ocsp

uint8_t oid_ad_ocsp[] = { ASN1_OID_OCSP }

static

"id-ad-ocsp" object identifier

Definition at line 647 of file x509.c.

x509_access_methods

struct x509_access_method x509_access_methods[]

static

Initial value:

= {
        {
                .name = "OCSP",
                .oid = ASN1_CURSOR ( oid_ad_ocsp ),
                .parse = x509_parse_ocsp,
        },
}

Supported access methods.

Definition at line 650 of file x509.c.

Referenced by x509_find_access_method().

oid_ce_basic_constraints

uint8_t oid_ce_basic_constraints[]

static

Initial value:

=
        { ASN1_OID_BASICCONSTRAINTS }

"id-ce-basicConstraints" object identifier

Definition at line 767 of file x509.c.

oid_ce_key_usage

uint8_t oid_ce_key_usage[]

static

Initial value:

=
        { ASN1_OID_KEYUSAGE }

"id-ce-keyUsage" object identifier

Definition at line 771 of file x509.c.

oid_ce_ext_key_usage

uint8_t oid_ce_ext_key_usage[]

static

Initial value:

=
        { ASN1_OID_EXTKEYUSAGE }

"id-ce-extKeyUsage" object identifier

Definition at line 775 of file x509.c.

oid_pe_authority_info_access

uint8_t oid_pe_authority_info_access[]

static

Initial value:

=
        { ASN1_OID_AUTHORITYINFOACCESS }

"id-pe-authorityInfoAccess" object identifier

Definition at line 779 of file x509.c.

oid_ce_subject_alt_name

uint8_t oid_ce_subject_alt_name[]

static

Initial value:

=
        { ASN1_OID_SUBJECTALTNAME }

"id-ce-subjectAltName" object identifier

Definition at line 783 of file x509.c.

x509_extensions

struct x509_extension x509_extensions[]

static

Initial value:

= {
        {
                .name = "basicConstraints",
                .oid = ASN1_CURSOR ( oid_ce_basic_constraints ),
                .parse = x509_parse_basic_constraints,
        },
        {
                .name = "keyUsage",
                .oid = ASN1_CURSOR ( oid_ce_key_usage ),
                .parse = x509_parse_key_usage,
        },
        {
                .name = "extKeyUsage",
                .oid = ASN1_CURSOR ( oid_ce_ext_key_usage ),
                .parse = x509_parse_extended_key_usage,
        },
        {
                .name = "authorityInfoAccess",
                .oid = ASN1_CURSOR ( oid_pe_authority_info_access ),
                .parse = x509_parse_authority_info_access,
        },
        {
                .name = "subjectAltName",
                .oid = ASN1_CURSOR ( oid_ce_subject_alt_name ),
                .parse = x509_parse_subject_alt_name,
        },
}

Supported certificate extensions.

Definition at line 787 of file x509.c.

Referenced by x509_find_extension().